Biometric-bound credentials take stage at EAB talk from Trust Stamp’s CSO

The latest EAB Member Lunch Talk from the European Association for Biometrics features Dr. Norman Poh, chief science officer for Trust Stamp, who speaks on the topic of biometric-bound credentials and how they enable zero knowledge proof (ZKP) applications.
Poh defines binding as the process of capturing a biometric sample, “generating an internal secret and using that secret to encrypt an external secret.” Likewise, unbinding is when the secret is decrypted as part of the verification flow. The goal, he says, is to “bind your face to an external secret” – or private key – so that biometric data is linked directly to cryptographic credentials.
“Effectively,” he says, “you are your authenticator.”
Poh says the process also generates a data package called a sketch, which is needed to later reconstruct the internal secret once the algorithm receives another biometric capture of the same individual. This packet of “helper data” is stored with the encrypted key in what Poh calls a “registration artefact.”
The algorithms Poh refers to, a key-generating biometric cryptosystem (or “fuzzy extractor”) for encoding and a key-binding biometric cryptosystem (or “fuzzy vault scheme”) for decoding, are governed by ISO/IEC 24745:2022 – Biometric information protection. The internal secret “does not correlate with biometrics” but, during the encoding process, is mixed with data from a stable biometric signal to create the sketch, from which neither original piece of data can be derived.
When an additional biometric scan is mixed with the stable signal and the sketch, the internal secret can be decoded. Secure implementation requires liveness detection, post-quantum ready cryptography and cryptographic sharding of the sketch between a client and server, or what Poh calls a “split trust model.” Once the server shard is downloaded onto a device, it can be used offline – which, says Poh, can be especially useful for digital travel credentials.
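As an added illustration (not the talk's or Trust Stamp's code), a toy Python model of the bind/unbind flow described above: a code-offset sketch over a constructed 60-bit stable signal, a random internal secret that encrypts an external secret, recovery from a noisy re-capture, and XOR sharding of the sketch for the split trust model. The repetition code, check value and template are assumptions chosen for readability, not how IT2 or ISO/IEC 24745 systems are built.

```python
import hashlib
import hmac
import secrets

# Constructed toy of the code-offset fuzzy-extractor pattern the talk describes: a sketch
# (template XOR codeword of a random internal secret) is stored with the external secret
# encrypted under that internal secret; a noisy re-capture plus the sketch recovers both.
# Illustration only, not Trust Stamp's IT2 or an ISO/IEC 24745 implementation.
REP = 5  # repetition code: each internal-secret bit stored 5 times, tolerating 2 flips per group

def encode(bits):
    return [b for b in bits for _ in range(REP)]

def decode(codeword):  # majority vote per group of REP bits
    return [int(sum(codeword[i:i + REP]) * 2 > REP) for i in range(0, len(codeword), REP)]

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

def pad_for(internal_bits):  # internal secret -> (32-byte pad for the external secret, key)
    ikey = hashlib.sha256(bytes(internal_bits)).digest()
    return hmac.new(ikey, b"bind-external-secret", hashlib.sha256).digest(), ikey

def bind(template, external_secret):  # encode: build the registration artefact
    internal = [secrets.randbits(1) for _ in range(len(template) // REP)]  # uncorrelated with biometrics
    pad, ikey = pad_for(internal)
    return {"sketch": xor_bits(template, encode(internal)),  # helper data
            "enc_secret": bytes(x ^ y for x, y in zip(external_secret, pad)),
            "check": hashlib.sha256(b"check" + ikey).digest()[:8]}  # rejects a wrong internal secret

def unbind(artefact, probe):  # decode: fresh capture + sketch -> external secret, or None
    internal = decode(xor_bits(probe, artefact["sketch"]))
    pad, ikey = pad_for(internal)
    if hashlib.sha256(b"check" + ikey).digest()[:8] != artefact["check"]:
        return None
    return bytes(x ^ y for x, y in zip(artefact["enc_secret"], pad))

def shard(sketch):  # split trust model: XOR-share the sketch between client and server
    r = [secrets.randbits(1) for _ in sketch]
    return r, xor_bits(sketch, r)

def merge(client_shard, server_shard):
    return xor_bits(client_shard, server_shard)

# Constructed 60-bit "stable signal" template, a genuine noisy re-capture (one flipped bit in
# each of four groups) and an impostor capture that differs everywhere.
TEMPLATE = [int(i % 3 == 0 or i % 7 == 2) for i in range(60)]
PROBE = [b ^ int(i in (0, 7, 23, 44)) for i, b in enumerate(TEMPLATE)]
IMPOSTOR = [1 - b for b in TEMPLATE]
```

Each shard on its own is a uniformly random bit string, so a server (or a device) holding only one of them learns nothing about the sketch until the two are merged at verification time.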
In describing workflows for provisioning a second device and account recovery, Poh positions biometric-bound credentials as the next step in the evolution of secure, passwordless biometric authentication.
While FIDO2 passkeys are “very much device-specific,” making them vulnerable to “friendly fraud” by individuals who have access to a device, biometric-bound credentials and the biometric cryptosystem model of Trust Stamp’s stable IT2 implementation offer privacy by design, enable sharable passkeys and ensure “genuine presence” – which Poh compares to World’s clumsily named “proof of human” model – using a secure ZKP protocol.
In summary, says Poh, the system “addresses account recovery, can perform offline authentication, enables ZKP of human presence and is device agnostic.”
More on the EAB Member Lunch Talk series can be found here.